This is a quick little tutorial that was sparked by a question I answered in one of the forums the other day, and it makes a nice follow-up to my last tutorial on file permissions.

Linux includes a fantastic little tool for keeping track of file permissions on your system - the find command. You can search for files based on permissions, owners, or groups and output the result to a text file. The following examples will search for some common high-risk files, but I encourage you to use man find to learn more about this great tool and figure out other ways to put it to good use.

This will find all regular files on the system with the SUID or SGID bit set and write the listing to a file called suidfiles.txt. The mode arguments are octal: 004000 is the setuid bit and 002000 the setgid bit, and the leading minus means "has at least these bits". Note that GNU ls -g drops the owner column, which for a setuid file is the one thing you want to see, so plain ls -l is used here; -exec ... {} + runs ls once per batch of files instead of once per file:

/usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -l {} + 2>/dev/null >suidfiles.txt

These files are traditionally considered high-risk because a setuid program runs with the privileges of its owner rather than of the user who launched it (and a setgid program with those of its group); when the owner is root, any exploitable bug in the program is a path to root, and a setuid bit on a file that should not have one is a classic backdoor. Once these files are identified, compare the list against what your distribution installed (dpkg -S or rpm -qf will tell you which package, if any, owns a file; an unpackaged setuid binary deserves a close look) and keep a copy of the output so you can diff future runs against it. You can remove both bits with chmod -s <filename>, or just one with chmod u-s or chmod g-s. DO NOT remove the bit from programs that need it to do their job: su, passwd and gpasswd are the usual examples, but sudo, mount, umount and ping are setuid root on many systems as well, and stripping the bit from any of them breaks it for ordinary users.

This will search for all regular files that are world writable (octal mode 0002, the write bit for "other"). Outside of /tmp and similar scratch areas there typically shouldn't be any. /proc and /sys are pseudo-filesystems whose entries are not real files and are excluded so they don't pollute the report; if the system has several mounted filesystems you may also want -xdev to stay on one at a time:

/usr/bin/find / -type f -perm -0002 ! -path '/proc/*' ! -path '/sys/*' -exec ls -l {} + 2>/dev/null >worldwritable.txt

You can remove the world writable bit on these files with chmod o-w <filename>.
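The two searches above are most useful when the output is kept and compared against the previous run, so that a file that quietly gained a setuid bit or became world writable stands out. The script below is an added example and not part of the original tutorial: it wraps the setuid/setgid and world-writable searches in shell functions, records a sorted baseline, and reports what changed. The function names (audit_suid, permission_report, check_against_baseline and so on) and the small demo tree it builds under mktemp are made up for the example; everything else is plain POSIX sh plus find, comm and sed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): record a baseline of files
# with risky permission bits and diff later scans against it.  Function names
# and the demo tree are constructed for this example.

FIND=/usr/bin/find   # absolute path on purpose, as the tutorial recommends

# Regular files under $1 with the setuid or setgid bit, one path per line, sorted.
audit_suid() {
    "$FIND" "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Regular files under $1 that anyone may write.  /proc and /sys only matter
# when $1 is /, but excluding them is harmless otherwise.
audit_world_writable() {
    "$FIND" "$1" -xdev -type f -perm -0002 ! -path '/proc/*' ! -path '/sys/*' -print 2>/dev/null | LC_ALL=C sort
}

# Combined, sorted "<kind> <path>" report for tree $1, suitable for storing as
# a baseline.  (Paths containing newlines would break the one-line-per-file
# format; they are rare enough on a sane system to ignore here.)
permission_report() {
    {
        audit_suid "$1" | sed 's/^/setuid-setgid /'
        audit_world_writable "$1" | sed 's/^/world-writable /'
    } | LC_ALL=C sort
}

# Compare the current report for tree $1 with baseline file $2.
# Prints "+ <kind> <path>" for entries that appeared and "- <kind> <path>" for
# entries that disappeared; returns 0 when nothing changed, 1 otherwise.
check_against_baseline() {
    current=$(mktemp) || return 2
    permission_report "$1" > "$current"
    comm -13 "$2" "$current" | sed 's/^/+ /'    # only in current: new risky files
    comm -23 "$2" "$current" | sed 's/^/- /'    # only in baseline: bits removed
    changes=$(comm -3 "$2" "$current" | wc -l | tr -d ' ')
    rm -f "$current"
    [ "$changes" -eq 0 ]
}

# Constructed demo tree: one legitimate setuid file, one ordinary binary and
# one world-writable scratch file.  Setting the setuid bit on a file you own
# does not require root.
make_demo_tree() {
    mkdir -p "$1/bin" "$1/tmp"
    printf '#!/bin/sh\n' > "$1/bin/legit-setuid"; chmod 4755 "$1/bin/legit-setuid"
    printf '#!/bin/sh\n' > "$1/bin/plain";        chmod 0755 "$1/bin/plain"
    : > "$1/tmp/shared.log";                      chmod 0666 "$1/tmp/shared.log"
}

# Drift after the baseline: a setuid copy appears and a config file is opened
# to the world, the two things the searches are meant to catch.
introduce_drift() {
    cp "$1/bin/plain" "$1/bin/backdoor"; chmod 4755 "$1/bin/backdoor"
    : > "$1/etc.conf";                   chmod 0666 "$1/etc.conf"
}

# End-to-end walk-through: baseline, drift, report.
run_demo() {
    tree=$(mktemp -d)
    make_demo_tree "$tree"
    permission_report "$tree" > "$tree.baseline"
    introduce_drift "$tree"
    check_against_baseline "$tree" "$tree.baseline"
    rm -rf "$tree" "$tree.baseline"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as sh audit.sh demo to see the two "+" lines for the drifted tree; on a real system you would call permission_report / once, store the output somewhere root-only, and run check_against_baseline from cron, treating any "+ setuid-setgid" line as an incident until you can tie it to a package upgrade.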

If you want to really tighten things down, you can also search for files that are group writable (octal mode 0020). Expect far more hits than for world-writable files, and many of them legitimate, since shared project directories and some service accounts rely on group write; review the owner and group in the listing rather than stripping the bit wholesale. Where it isn't wanted, the bit can be removed with chmod g-w <filename>:

/usr/bin/find / -type f -perm -0020 -exec ls -l {} + 2>/dev/null >groupwritable.txt

You can also search for files owned by a particular user or group by substituting the -user or -group options for the -perm option. Two related tests worth knowing are -nouser and -nogroup, which find files whose owner or group no longer exists in /etc/passwd or /etc/group; those are usually leftovers from deleted accounts and can end up owned by whoever is assigned that UID next:

/usr/bin/find / -type f -user problemchild -exec ls -l {} + 2>/dev/null >problemchildfiles.txt

Note: Always use the absolute path to the binary when working as root. An audit that runs a find or ls picked up from a writable directory on PATH is only as trustworthy as that directory, which is exactly the kind of thing these searches are meant to catch.